Posted to dev@ranger.apache.org by "Vyacheslav Tutrinov (Jira)" <ji...@apache.org> on 2020/10/30 06:58:00 UTC

[jira] [Created] (RANGER-3063) 404 http status response on requesting an existing policy

Vyacheslav Tutrinov created RANGER-3063:
-------------------------------------------

             Summary: 404 http status response on requesting an existing policy
                 Key: RANGER-3063
                 URL: https://issues.apache.org/jira/browse/RANGER-3063
             Project: Ranger
          Issue Type: Bug
          Components: admin
    Affects Versions: 2.0.0
         Environment: Cloudera, CDP (CDH) 7.1.3
Hadoop - 3.1.1.7.1.3.0-100
Ranger - 2.0.0.7.1.3.0-100
            Reporter: Vyacheslav Tutrinov


I caught a strange behavior of the ranger admin REST API.

The challenge started when I saw that the 'cm_kms' service doesn't appear on the UI side; however, it exists in the REST API response.

Then an attempt to get the policy list for this service responded with a list that contains a single policy:
{code:bash}
[root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy
* About to connect() to my-ranger-server-host port 6080 (#0)
*   Trying 10.6.120.140...
* Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
* Server auth using Basic with user 'admin'
> GET /service/public/v2/api/service/cm_kms/policy HTTP/1.1
> Authorization: Basic *********************
> User-Agent: curl/7.29.0
> Host: my-ranger-server-host:6080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Set-Cookie: RANGERADMINSESSIONID=42E2616A84477202A0CB4442C9C4EA88; Path=/; HttpOnly
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Thu, 29 Oct 2020 07:11:15 GMT
< Server: Apache Ranger
< 
[{"id":41,"guid":"52b42504-5798-4340-9da3-8e9188a3592f","isEnabled":true,"version":1,"service":"cm_kms","name":"all - keyname","policyType":0,"policyPriority":0,"description":"Policy for all - keyname","isAuditEnabled":true,"resources":{"keyname":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"delete","isAllowed":true},{"type":"rollover","isAllowed":true},{"type":"setkeymaterial","isAllowed":true},{"type":"get","isAllowed":true},{"type":"getkeys","isAllowed":true},{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true}],"users":["hdfs"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["hive"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"kms","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
{code}
However, the request for the specific policy by name 'all - keyname' responded with a 404 status:
{code:bash}
[root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy/all%20-%20keyname
* About to connect() to my-ranger-server-host port 6080 (#0)
*   Trying 10.6.120.140...
* Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
* Server auth using Basic with user 'user'
> GET /service/public/v2/api/service/cm_kms/policy/all%20-%20keyname HTTP/1.1
> Authorization: Basic ***************************
> User-Agent: curl/7.29.0
> Host: my-ranger-server-host:6080
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Set-Cookie: RANGERADMINSESSIONID=2885FFB77C5B83345F5F6C0F4E7CB4D8; Path=/; HttpOnly
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Thu, 29 Oct 2020 07:43:14 GMT
< Server: Apache Ranger
< 
* Connection #0 to host my-ranger-server-host left intact
Not found
{code}
A PUT request to update the policy responds the same way (404), but a POST request to create a policy with the same name responds with a 400 status - a policy with 'all - keyname' already exists.

But a similar call chain (GET list of policies, GET policy by name) works perfectly for the 'cm_hdfs' service policies:
{code:bash}
[root@vm path]# curl -XGET -u user:*********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy
* About to connect() to my-ranger-server-host port 6080 (#0)
*   Trying 10.6.120.140...
* Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
* Server auth using Basic with user 'admin'
> GET /service/public/v2/api/service/cm_hdfs/policy HTTP/1.1
> Authorization: Basic *************************
> User-Agent: curl/7.29.0
> Host: my-ranger-server-host:6080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Set-Cookie: RANGERADMINSESSIONID=9D112823529E0F1695CB94A4C5081C0E; Path=/; HttpOnly
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Thu, 29 Oct 2020 07:44:32 GMT
< Server: Apache Ranger
< 
[{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false},{"id":2,"guid":"422c3e21-4162-43e8-a884-74791e6e4b39","isEnabled":true,"version":1,"service":"cm_hdfs","name":"kms-audit-path","policyType":0,"policyPriority":0,"description":"Policy for kms-audit-path","isAuditEnabled":true,"resources":{"path":{"values* Connection #0 to host vtutr01-vm0.bdauto.wandisco.com left intact
":["/ranger/audit/kms"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
 
 
 
[root@vm path]# curl -XGET -u user:**************** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy/all%20-%20path
* About to connect() to my-ranger-server-host port 6080 (#0)
*   Trying 10.6.120.140...
* Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
* Server auth using Basic with user 'admin'
> GET /service/public/v2/api/service/cm_hdfs/policy/all%20-%20path HTTP/1.1
> Authorization: Basic *********************
> User-Agent: curl/7.29.0
> Host: my-ranger-server-host:6080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Set-Cookie: RANGERADMINSESSIONID=4179CB624F0F54402CAE4F6158A0082F; Path=/; HttpOnly
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Thu, 29 Oct 2020 07:45:19 GMT
< Server: Apache Ranger
< 
* Connection #0 to host my-ranger-server-host left intact
{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}
{code}

And the IDE debugger tells me that the filtered policy list size is equal to 0 (org.apache.ranger.rest.PublicAPIsv2#getPolicyByName).




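The list-versus-by-name check from the report, written as an added example (not code from the reporter or from Apache Ranger): it walks every policy a service lists and flags the ones that cannot be fetched by name. The `fetch` hook and the `make_stub` server stand-in are hypothetical, and the stub's data is constructed to mirror the statuses shown above.

```python
import json
from urllib.parse import quote, unquote

BASE = "/service/public/v2/api/service"  # public v2 path used in the report


def policy_url(service, name=None):
    """Build the list path, or the by-name path with the name percent-encoded."""
    url = f"{BASE}/{quote(service, safe='')}/policy"
    return url if name is None else f"{url}/{quote(name, safe='')}"


def find_unreachable(fetch, service):
    """Return [(policy name, status)] for policies listed but not retrievable by name.

    fetch(path) -> (status, body) is a hypothetical transport hook; in real use
    it would wrap an authenticated HTTP GET against the Ranger Admin host.
    """
    status, body = fetch(policy_url(service))
    if status != 200:
        raise RuntimeError(f"list request for {service} returned {status}")
    mismatches = []
    for policy in json.loads(body):
        by_name_status, _ = fetch(policy_url(service, policy["name"]))
        if by_name_status != 200:
            mismatches.append((policy["name"], by_name_status))
    return mismatches


def make_stub():
    """Constructed stand-in for the server: cm_kms lists a policy but 404s by name."""
    listed = {"cm_kms": ["all - keyname"],
              "cm_hdfs": ["all - path", "kms-audit-path"]}

    def fetch(path):
        parts = path[len(BASE) + 1:].split("/")
        service = parts[0]
        if len(parts) == 2:  # <service>/policy -> list
            return 200, json.dumps([{"name": n} for n in listed[service]])
        name = unquote(parts[2])  # <service>/policy/<encoded name>
        if service != "cm_kms" and name in listed[service]:
            return 200, json.dumps({"name": name})
        return 404, "Not found"

    return fetch


if __name__ == "__main__":
    stub = make_stub()
    for svc in ("cm_kms", "cm_hdfs"):
        print(svc, find_unreachable(stub, svc))
```

Running the same check per service and per account shows whether the mismatch follows the service or the caller.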